CAll Us: +1 888-999-8231 Submit Ticket
Getting Started With File Permissions

Getting Started With File Permissions

Getting started with file permissionsFile permissions are an important aspect to consider for any website. This is even more important in a shared hosting environment, since neighboring clients can potentially read or write to your files if the permissions are configured incorrectly.

Even just the ability to read files can expose sensitive information from site configuration files, such as the credentials necessary to access your database. The ability to write or alter your files could allow others to use your site to run malicious code, spread malware, or perform any other number of unwanted activities, including vandalizing your site.

 

Why Are File Permissions Important?

While file permissions are important in any hosting environment, this article will be dealing specifically with current Hostdedi hosting environments. If file permissions are new to you, ask your service provider about best practices pertaining to your specific environment before making any changes.

Before attempting to set or alter permissions, you should first understand how they are represented on a typical web server.

Permissions are granted to three categories: user, group, and other. The user is the user on the system that owns the file. On Hostdedi systems, the group owner will typically be the user. On other hosts, you may have shared groups set up for the web server, FTP processes, and so on. In this context, “other” means absolutely any user having access to the system, including the group and owner.

 

What File Permissions Are There?

Each of the above categories can be granted three standard permissions: read, write, and execute.

The read permission allows a user to see the contents of the file. The write permission allows users to alter the contents of a file. The execute permission gives a user the ability to run a file if the file type is executable on the system, or can be run within a directory. This would not typically grant any special abilities on a normal image file.

The read, write, and execute permissions are typically represented in two forms. One form is the letters r (read), w (write), x (execute).

 

Octal Form File Permissions

The other form is known as an octal form, where 4 represents read, 2 represents write, and 1 represents execute.  

If more than one permission is being granted, the numbers are added together, with the numbers shown in the order, user–group–other. For example, permissions of 700 would mean the file owner (user) has read, write, and execute permissions, but the group and everyone else has no permissions. If the permissions were set to 600, the file owner would have read and write privileges (4+2), with all others having no permissions. 777 grants read, write, and execute access to all users.

One special, helpful permission, is the setgid permission. Using this on a directory will cause any file created in the directory to inherit the same group as the parent directory. There are other special permissions, as well as access control lists that can be applied to files and folders beyond the user, group, and other categories, but they are outside the scope of this article.  

 

Hostdedi File Permission Defaults

Current Hostdedi systems run the Apache web server as a separate user, so directories typically need “other” execute permission. This allows Apache to operate on the contents of the directories.

Apache needs read access for any .htaccess files used by your site, and read access to static files like CSS, JS, and image files. These permissions allow Apache to read and transmit files to the end client requesting them. All PHP files will be executed by your system user using PHP-FPM, and should typically only have permissions granted to the user.

Since PHP processes and application run as your user on the system, these files typically only need to be accessible by your user.

To summarize general permission settings for securing a web application:

  • Directories should be 711, which allow your user full access and allow the web service access to the directories to read static files.
  • PHP files and application configuration files should have permissions of 600, which allows only your user access.
  • Image files and static site assets such as CSS, JS, font files, and so on need permissions of 644, which allows Apache to serve these as expected without receiving a 403 or forbidden response.

 

Checking File Permissions

Two easy ways to check file permissions are with the stat and ll commands.

Issuing the stat command on a file does show much more information that simply the permissions, but on the first line that starts with Access: will show the permissions in both numerical and alphabetic forms. The stat below shows the permissions as 0660 or -rw-rw—- . Which would be user and group having read and write access but all others having not access.

 

  $ stat file.xyz 
  File: `file.xyz'
  Size: 0          Blocks: 0          IO Block: 4096 regular empty file
  Device: 807h/2055d Inode: 524917      Links: 1
  Access: (0660/-rw-rw----)  Uid: (1337/uzer) Gid: (1337/uzer)
  Access: 2018-07-19 15:01:42.000000000 -0400
  Modify: 2017-04-04 08:36:53.000000000 -0400
  Change: 2018-07-19 15:01:42.891553118 -0400



Using the ll command you will only receive the alphabetic form of the permissions, output from the same file above looks like the content below when using ll.

 

  ll file.xyz 
  -rw-rw---- 1 uzer uzer 0 Apr  4 2017 file.xyz

 

Setting File Permissions

The chmod command is used to change permissions, it accepts the permissions in several formats. Below we are changing the permissions to 600 for the file.xyz file.

 

  chmod 600 file.xyz

 

To express this in the non numeric way, we would use the command below. This would set it so the user has read and write access.

 

  chmod u+rw file.xyz

 

To add permissions so a user group can have read and write access, you would use the following syntax.

 

  chmod ug+rw file.xyz

 

Bulk File Permission Changes With the Chmod Command

Changing the permissions on a large number of files at once can be done by using the -r or recursive flag with the chmod command. You can also use the find command, in conjunction with the chmod command, to select certain files or file types and adjust their permissions.

An easy way to help secure file permissions across your site is to run the following commands from your web application root directory.

First we set all directory permissions to 711.

 

  find . -type d -exec chmod 711 {} ;

 

You may want to use the setgid on the directories, this would be set on all directories with the following command.

 

  find . -type d -exec chmod 2711 {} ;

 

Then we set all file permissions to 644 so your user has read and write access and your group and others have read access. This will allow Apache to access and serve static site files.

 

  find . -type f -exec chmod 644 {} ;

 

We would then want to go through and tighten security on all PHP files so only your user has access to them.

 

  find . -type f -name “*.php” -exec chmod 600 {} ;

 

After doing the above, you would want to manually change the permissions with chmod on any sensitive site files without the .php extension to 600. For something like Magento 1.X with a local.xml configuration file, the command would be the following, run from your web application root:

 

  chmod 600 app/etc/local.xml 

 

Application Specific Configuration Files

Below are some notable application-specific configuration files that should use 600 permissions exclusively. For additional security, some of the below applications also recommend moving directories containing configuration files outside of the website’s document root. If your application has been modified, some of these files may be in a different location, or there may be additional sensitive configuration files. When in doubt, contact your web host or development team.  

Magento 1.X

app/etc/local.xml

Magento 2.x

app/etc/env.php

WordPress

wp-config.php

Drupal

sites/default/settings.php

ExpressionEngine

system/expressionengine/config/config.php

Craft

craft/config/db.php

Posted in:
Linux, Security

Source link

The Dangers Of Exposed Git Repos

The Dangers Of Exposed Git Repos

The Dangers Of Exposed Git ReposStoring Git’s repository directory – the .git directory – in a publicly accessible area of a website may expose sensitive information that bad actors can use to steal data or compromise the site.

Git is a version control system and a major part of many development workflows. WordPress and Magento developers use Git to version control code and to collaborate on its development. Git itself is secure, but developers can cause security issues if they aren’t careful where version controlled code is stored.

In a recent survey of many millions of domains, security researcher Vladimír Smitka shows just how prevalent this misuse of Git is. After scanning more than 230 million domains, Smitka discovered 40,000 WordPress sites, 4,000 WooCommerce sites, and 2,000 with exposed .git directories.

Why Are Exposed Git Directories Bad For Security?

The .git folder contains records of every change made to a site’s code. That information is useful to bad actors looking for clues about vulnerabilities in the site. Information about how code is structured, which libraries are used and their versions, API endpoints, and other details about the site can be used by bad actors to develop a plan of attack. Ordinarily, this information is difficult to find, but an exposed .git repo makes life much easier for bad actors.

This situation is made worse if developers version control sensitive information such as database passwords and API keys. Sensitive data should never be stored in version control systems that are accessible to the public – in fact, they should not be stored in version control at all. Unfortunately, many developers do store sensitive information in Git repositories. If they also have .git in their web server’s public directory, the whole world can access them.

Does Your Site Serve A Git Repository To Visitors?

As Smitka points out, the straightforward method for finding a .git repository often doesn’t work. If a developer tries to visit https://example.com/.git they may receive a 403 error even if there is an exposed repository. The error is caused by a missing index.html file and configuration that denies directory listing.

However, a bad actor could visit https://example.com/.git/HEAD and, with a little trouble, access the sensitive information they want.

Mitigating The Problem

The best solution is the simplest. Don’t put sensitive data in Git repositories. Don’t keep .git in directories that are served by your web server. If you have decided that you need to keep version control information in a directory that would by default be publicly accessible, you can block access with a rule in the site’s .htaccess file.

There are various ways to block access to the .git directory, but Smitka has created a simple .htaccess rule that works well for Apache 2.4:

<Directory ~ "/.(?!well-known/)">
 Require all denied
</Directory>

This rule blocks access to all dot directories except .well-known, which is often used to provide site metadata to web clients. You will find a version suitable for Apache 2.2 here.

Posted in:
Security

Source link

eCommerce Login Attempts Are Almost Always Fraudulent

eCommerce Login Attempts Are Almost Always Fraudulent

Nine out of ten eCommerce login attempts are fraudulent. That is the key finding of an investigation of credential stuffing by Shape Security, a provider of online fraud prevention. Credential stuffing involves the use of stolen credentials to log in to customer accounts to buy products and take advantage of credit arrangements.

Online retailers are more likely to be targeted by credential stuffing because it is common for shoppers to reuse the same credentials on different sites and because automating the eCommerce login process is straightforward compared to banks and other potential targets.

Credential stuffing starts with leaked usernames and passwords. Last year, over 2.3 billion username and password pairs were leaked by online services. Most of the leaked credentials came from Yahoo, which repeatedly exposed the credentials of billions of users. Tens of millions of credentials were leaked from poorly secured forums, databases, and servers. Millions more were leaked in phishing and malware attacks against users.

The usernames and passwords are gathered by criminals and used to make login attempts on eCommerce stores, banks, and social media accounts. The most sophisticated credential stuffing operations create bespoke login scripts that operate from dozens of locations.

The scripts make millions of login attempts with the leaked credentials on tens of thousands of stores. Shoppers use the same email address and password combination on multiple sites, so the leaked credentials can be used to successfully authenticate on many sites and eCommerce stores.

The criminals’ “conversion rates” are quite low: the best credential stuffers successfully authenticate on less than one percent of accounts, but credential stuffing generates significant revenue because credential stuffing is a high-volume, low-cost operation.

Once they have access, the criminals can steal user data, consume gift card balances, and place large fraudulent orders using stored or stolen credit card numbers. It is estimated that credential stuffing costs the US economy in excess of $5 billion per year.

Preventing Credential Stuffing

It is relatively easy to stop credential stuffing from a technological perspective. Implementing two-factor authentication on shopper accounts would be completely effective. Increasing the complexity of the login process would make it more difficult for criminals to automate attacks.

But neither of those methods appeal to eCommerce merchants because they have the unwanted side effect of reducing conversions. The eCommerce industry is incentivized to make it easier for shoppers to authenticate, not more difficult.

Alternatives include IP blacklists, which can be successful against less sophisticated attackers that don’t have access to large networks of proxy servers. Blacklisting is less effective against more sophisticated operations that use paid proxying services and botnets.

Credential stuffing is likely to remain a problem for as long as we use username and password combinations for authentication. Advanced authentication systems such as FIDO 2 are the most likely long-term solution because they provide simple and secure logins without shared secrets.

Posted in:
Security

Source link

Google Chrome Displays Insecure Warning On All HTTP Pages

Google Chrome Displays Insecure Warning On All HTTP Pages

Google AnalyticsOn July 24th, Google released Chrome 68, which will mark insecure any page loaded over an HTTP connection. The long-planned move means that any site that doesn’t have an SSL certificate that enables it to use HTTPS will be prominently marked as insecure in the browser’s search bar.

HTTP Security Setting

HTTPS is a secure version of HTTP, the protocol used to send data over the internet. With HTTP, data is sent in the clear: it can be intercepted and read by third parties in what is known as a man-in-the-middle attack.

HTTPS connections use SSL certificates to encrypt the data and validate the identity of the server sending it. Data traveling over an HTTPS connection can’t be intercepted and read by a man in the middle.

Historically, HTTPS was used on eCommerce stores and other sites that receive or transmit sensitive data. In the last few years, Google and security experts have encouraged much wider adoption, arguing that every site should be protected by HTTPS.

Chrome will now display warnings for every page that is not loaded over an HTTPS connection. That’s important for sites that don’t use HTTPS because most users are unlikely to understand exactly what is insecure about them.

The History Of Google’s Push For HTTPS Everywhere

Google has been gradually moving Chrome in this direction for the last several years. Pages were once marked as secure if they used HTTPS. Pages that didn’t were displayed with no message. Last year, Chrome began to display warnings on HTTP sites when the browser was in incognito mode or when the user was asked to enter information. From this month, Chrome will display a “secure” notice for HTTPS pages and an “insecure” notice for HTTP pages.

In September, Google will go a step further and remove the “secure” notification for HTTPS sites. And in October the warning on HTTP pages will change from a neutral color to a noticeable red.

In addition to encouraging sites by warning users in the browser, Google also gives sites with HTTPS a boost in search engine results. All else being equal, a page delivered over an HTTPS connection will rank higher than an HTTP page.

The State Of HTTPS

HTTPS adoption has skyrocketed in recent years. Eighty-four percent of sites loaded by Google Chrome use HTTPS. So do 83 of the top-100 sites. But a large number of smaller sites do not have an SSL certificate and they are likely to be hardest hit by the new warnings.

HTTPS is a good thing. It keeps users and hosting clients safe. Adding an SSL certificate to a site was once complex and expensive. That’s no longer the case. At Hostdedi, many of our WordPress, WooCommerce, and Magento hosting accounts include a free standard SSL certificate and we’re happy to help eCommerce retailers and site owners add a premium or extended validation SSL certificate to their site.

It’s likely that SSL will become ubiquitous in the near future. HTTPS is required by modern web technology like HTTP2 and Service Workers, which are the foundation of Progressive Web Apps. Magento is working on PWA solutions for eCommerce and developers have just started work on a feature plugin that will make WordPress and WooCommerce PWA-friendly.

If you would like more information about implementing SSL on your website or eCommerce store, our support team is waiting to hear from you.

Posted in:
Security

Source link

What Can We Do About IoT’s Security Problems?

What Can We Do About IoT’s Security Problems?

what-can-we-do-about-iots-security-problemsBy the end of this year, there will be billions of connected endpoints. The world has never seen a larger digital threat surface. And it has never seen one that is so poorly-secured.

“The ease with which hackers can exploit security vulnerabilities in these cheap and plentiful [IoT] devices is disturbing,” writes PivotNine Chief Analyst Justin Warren. “It threatens the reliability of the Internet upon which millions of people have come to depend…the flood of new Internet-connected devices only increases each year, as the hype train gathers speed and those with dreams of striking it rich join in with this latest gold rush.”

These vendors are not interested in security. They are not interested in the expenses involved in protecting data – whether business or consumer. They are interested in ease-of-use, cost of distribution, and time-to-market.

And they are largely interested in consumers, who do not have the same security concerns as businesses. Yet a smart thermostat or connected coffee maker can see use in an office just as easily as a home. Once such a device is patched into a corporate network, it is essentially an invitation to hackers.

Until the regulatory climate surrounding IoT devices matures, this will not change. There is currently no liability for vendors and manufacturers. There is no reason for most of them to care about cybersecurity.

It is therefore up to us – all of us – to take IoT security into our own hands:

 

  • Pursue a new mindset. The onus of corporate data security is still largely in the hands of employees – but they cannot be expected to secure the coming flood of endpoints. Your business must pursue new security practices and processes, such as automation and intelligent threat mitigation.
  • Train your staff. Cybersecurity training is more critical than ever. Update your awareness programs to incorporate the importance of IoT security, and include advice on how workers can protect their own smart hardware at home.
  • Understand your endpoints. Use an endpoint management solution that allows you to directly manage and monitor smart endpoints. You need more than EMM or MDM.
  • Segment nonessential devices. Your office coffee machine and thermostat do not need to be on your core network. Configure a guest network for non-essential endpoints, and isolate it from your business’s main network.
  • Automate your updates. In addition to working with vendors who pledge to take security seriously, ensure that IoT updates are applied automatically – there is no other way to keep all your endpoints up to date.
  • Configure every IoT device.  This includes changing the default username and password and testing each new device for vulnerabilities.  

 

From a cybersecurity perspective, the Internet of Things is a mess. But it also represents one of the best evolutions for both our personal and professional lives. That’s why there is no slowing the growth of IoT – the best you can do is prepare yourself for the risks it brings with it.

And now you know how to do exactly that.

Posted in:
Security

Source link

Three Signs Your Staff Don’t Take Security Seriously

Three Signs Your Staff Don’t Take Security Seriously

Cybersecurity is a constant balancing act between convenience and data protection. The former always wins, no matter how much IT professionals might wish otherwise. The consumerization of IT is at the heart of this issue.

Modern workers demand that the tools and applications they are provided in the workplace offer a user experience in-line with what they use in their personal life. When that demand is ignored, they are remarkably skilled at circumventing security protocols. They are interested in doing their jobs – not in adhering to IT’s expectations on how to protect their data.

Worse, even if you do manage to somehow strike a balance, security is not certain. Workers may still have a lax attitude towards protecting corporate data. Learning to recognize such an attitude is essential.

They Dislike Your IT Department

Your IT department should be seen by others within the organization as valuable members of the team. If workers consider them an impediment or roadblock to doing their jobs, that’s a sure sign something needs to change – both culturally and with your security processes. The divide between IT professionals and regular workers is a relic of the past.

Let’s leave it there.

They Overuse Consumer Apps And Devices

There is nothing wrong with the regulated use of consumer tools in the workplace. Some of them can actually be secure under the right conditions. But if every single worker in your business uses consumer apps instead of corporate ones, this signifies two things.

First, your corporate tools are inadequate. Second, your workers don’t understand the reason you mandate their usage. The first can only be solved by revisiting the toolkit you provide your employees – the second will require security awareness training.

They’re Careless

Do your workers still use old, insecure passwords? Do they even bother changing their default login information when given a new account? Do they use consumer file-sharing services and thumb drives for sharing sensitive data?

Most employees are well-intentioned, but ignorant. They might accidentally forward a document to the wrong recipient, or open a phishing email without realizing it’s not actually from their boss. Security awareness training is necessary to mitigate this carelessness.

Cybersecurity Is Serious Business

Your employees are your most valuable resource – but they are also your biggest cybersecurity headache. It is your job to teach them about the importance of good security practices. Show them how to properly use software, talk to them about the importance of a password manager, and inform them of how to recognize phishing scams and malicious emails (to name a few examples).

Because while many of them may be ignorant now, that doesn’t mean they should remain so. Do your part to help them take cybersecurity more seriously. Your customers and stakeholders will thank you for it – and you’ll be glad you made the effort.

Posted in:
Security

Source link

Are Your Admins Fed Up With Your Bad Security Protocols?

Are Your Admins Fed Up With Your Bad Security Protocols?

How well-equipped is your IT department? Do your administrators have everything they need to do their jobs effectively? If you don’t know the answers to those questions, you need to learn them.

These are the men and women who, at the end of the day, are your best (perhaps only) defense against the array of cyberthreats facing your business and its data. Treat them well and provide them with what they need, and they will keep your business secure. Mistreat them and expect them to spin gold from twine?

You may as well hand your files to a hacker yourself.

But how exactly can you tell if your administrators are frustrated and put-upon? What are the warning signs your IT department is under-resourced or understaffed? And more importantly, what can you do about it?

Your first step is to examine both workplace culture and the status of your own software and hardware:

  • You regularly hear employees talking about how difficult an administrator (or the entire department) is to deal with. Such a hostile relationship could indicate serious frustrations on both sides.
  • IT workers seem apathetic or disconnected when you interact with them – as though they don’t care about your organization.
  • Your IT systems have not been updated or improved in years.
  • Security updates and device provisioning are not automated – everything must be done manually.
  • Your executive board constantly pushes for new technology or functionality, simply because they can – not because they need it.
  • You find yourself regularly disregarding or ignoring the advice of your administrators (or notice colleagues doing the same).
  • If your organization is struck by a data breach, your administrators seem unsurprised by it.
  • You do not have security awareness or risk management training at your organization. Employees are simply left to their own devices.

When In Doubt, Communicate

It was once a common misconception that cybersecurity is solely the domain of IT. This idea is toxic. There needs to be an open dialogue between IT and every other department and executive within your organization.

In other words, the best way you can determine whether or not your administrators are happy with your business’s security practices is to simply talk to them. Ask them about what they need to better do their jobs. Ask them how they might improve organizational security posture.

Remember that you’re all in this together – and that by working together, you can achieve far more than you ever could divided.

Posted in:
Security

Source link

What Is Cryptomining Malware?

What Is Cryptomining Malware?

what-is-cryptomining-malwareCryptomining malware is a new form of malware that uses the resources of compromised servers and hosting accounts to generate cryptocurrencies like Bitcoin and Litecoin. Before a coin can be created, miners have to demonstrate “proof of work,” which involves computationally intensive mathematical operations. Legitimate miners buy powerful computers to do the hard work, but criminals use malware-infected machines.

Over the last few weeks the value of cryptocurrencies, particularly Bitcoin, has increased quickly. By using compromised machines to generate coins, criminals create a digital asset that can be converted into hard currency. Because the value of cryptocurrencies is rising, we can expect to see more frequent and sophisticated attacks through 2018.

Cryptocurrencies are based on blockchain technology. A blockchain is a distributed ledger, a data structure that records transactions and is shared, modified, and verified by many different network nodes. The ledger records transactions like transfers of coins between users, but also the creation of new coins. You can read more about how new coins are created here, but, in a nutshell, to create a coin a miner has to prove to the network that they have done an amount of work. Without the proof of work, it would be easy for anyone to make coins and individual coins wouldn’t be worth much.

In the early days of cryptocurrencies, creating coins was easy: they could be generated quickly on low-powered hardware. Over time, the amount of work needed increases, and today serious miners use clusters of machines with powerful GPUs. But the alternative to a few high-powered specialized machines is many low-powered machines like laptops and smartphones.

Cryptomining malware — code injected into websites via known vulnerabilities or installed along with pirate themes and plugins — allows its authors to run the proof-of-work calculations on large networks of compromised machines, generating coins with minimal investment.

One of the most popular pieces of cryptomining malware for WordPress sites is called Cloudflare.solutions, which has nothing to do with the real Cloudflare. Discovered earlier this year, cloudflare.solutions loads malicious cryptomining code. When a user opens a page on a compromised site, the malicious code runs and uses the device’s resources to perform mining operations. Hijacking the processor can degrade browser and device performance and diminish battery life.

In an unpleasant twist, cloudflare.solutions has recently been modified to include a keylogger that sends text entered into WordPress text entry fields, including password fields, to the criminals’ servers.

It should be mentioned that some “legitimate” publishers are taking advantage of cryptomining to generate revenue for their sites. I’ll avoid debating the ethics here, but it’s undeniable that a large number of cryptomining scripts found on the web are the result of exploited sites and are funneling money to criminal organizations.

The best way to avoid being infected by cryptomining malware is to follow standard WordPress security best practices: use two-factor authentication, update your WordPress site when new versions are released, and only install themes and plugins from trusted sources.

Posted in:
Security

Source link

Is Your WordPress Site As Secure As You Think?

Is Your WordPress Site As Secure As You Think?

WordPress is — as content management systems go — very secure. It’s the most targeted web application in the world, but it’s also the best protected. It is in the interest of many thousands of developers and users to seek and destroy any vulnerabilities that may find their way into the code of WordPress Core, themes, and plugins.

If a WordPress hosting client follows a few basic security best practices, the likelihood of a successful attack is slim. Security best practices include:

  • Updating WordPress, themes, and plugins as soon as new versions are released.
  • Getting themes and plugins from trustworthy sources.
  • Using long, random passwords. Or, even better, using two-factor authentication.
  • Not sharing passwords with third-parties.

But everyone who manages a website has to face the reality that their site may be targeted, and if it is targeted, it may be compromised. It’s not enough to follow security best practices. You also have to keep an eye out for signs of compromise. But what does a compromised site look like?

Criminals don’t want you to know when your site has been compromised. The longer they remain hidden, the longer they can use a site to distribute malware, send spam, and inject their SEO links. A site that looks perfectly fine to you might, in fact, be spewing spam and infecting your visitors.

The solution is automated vulnerability and malware scanning. Vulnerability and malware scanners are capable of monitoring a site for signs of malicious software or known software vulnerabilities and alerting you to them.

For occasional scans, there are several excellent online tools that you should be aware of.

  • GravityScan is an online vulnerability and malware scanner from the team behind the Wordfence security plugin. It will check a site for both malware and software vulnerabilities.
  • Sucuri SiteCheck is similar to GravityScan, providing much the same malware and vulnerability checking.

An external web-based scanner is a good option to have, but they aren’t as capable as dedicated security plugins which have greater access to a site and its files.

Wordfence Security is the most popular WordPress security plugin, and it includes a host of features to keep WordPress sites secure, including malware, vulnerability, and backdoor scanning, and a Web Application Firewall capable of repelling known attacks. The premium version of this plugin adds real-time updating of firewall rules, more frequent scans, and two-factor authentication.

Wordfence’s main competitor is the Sucuri Security plugin. Sucuri includes file integrity monitoring, remote malware scanning, and security hardening. The premium version includes a website firewall that can protect a WordPress site against the exploitation of software vulnerabilities, brute force attacks and denial of service attacks.

For most sites, a plugin is probably a better solution than a web service. The plugins we’ve discussed automatically alert site owners when they discover a problem. Relying on your memory to prompt you to regularly use the web scanning tools is probably not the most effective approach.

Posted in:
Security, WordPress

Source link

Ransomware Could Soon Hold Your Data Hostage

Ransomware Could Soon Hold Your Data Hostage

In 2017, global ransomware attacks like WannaCry and NotPetya rocked the world, devastating both businesses and government organizations. Troublesome though they were, they were only the beginning. Ransomware is on the rise, and it’s only going to get worse from here.

Criminals have realized that ransomware can act as both a data exfiltration method and as a distraction for a larger attack. They’ve realized that holding information for ransom can be just as lucrative as stealing and selling it. And they’ve realized that in all cases, ransomware requires almost no effort on their end.

In short, you need to do everything in your power to protect yourself – here’s where you can start.

Back Everything Up

The best defense against a ransomware attack is and always will be an air-gapped backup. By maintaining several copies of your data and images of your system both in an online repository and in an isolated, on-site backup server, you can ensure that any systems compromised by ransomware can simply be deleted. At that point, it’s just a matter of restoring your systems to working order.

Now, there’s a reason I recommend multiple backups – and that you keep multiple copies. Truth is, ransomware developers know that backup data is their main weakness. As such, they’ve started to target backups.

Educate Your Employees

Believe it or not, your employees are actually a bigger threat to your data than any external bad actors. Phishing scams, for example, are one of the chief delivery vessels for malware and ransomware. What that means is that if you don’t train your employees to recognize scams and socially-engineered attacks, there’s a good chance you’ll be dealing with ransomware sooner rather than later.

Host regular training sessions and establish a knowledge base your staff can draw on to help them stay secure.

Ransom-Proof Your Systems

The most troubling fact about WannaCry is the fact that it exploited a vulnerability that was several years old. Many of the victims that were targeted by the ransomware could have prevented infection if they’d simply kept their systems up to date. To that end, you need to apply security patches and updates the moment they become available – and wherever possible, avoid using outdated operating systems.

Additionally, it’s important that you ensure all systems on your network can be air-gapped on demand. That way, if ransomware does hit your network, you can isolate it before it causes widespread damage.

Don’t Let Hackers Hold You For Ransom

Ransomware isn’t going to stop being a problem. If anything, it’s only going to get worse – more advanced and sophisticated, and available as an attack method for more hackers than ever before. Defend yourself now, instead of wishing you did something later.

Posted in:
Security

Source link